Finjan, an internet security firm, has discovered a new Trojan horse virus that steals money from your account. A typical phishing attack or virus will steal your login credentials and send them to a thief, who either sells them or empties your account. This new virus, called URLZone, will steal your credentials but also steal money from your account, all the while displaying a fake balance when you log in. How much it steals depends on how much is available; it only steals enough not to trigger a bank’s fraud detection systems.

At the moment, URLZone can only infect Windows systems using Firefox, Internet Explorer 6, 7 & 8, or Opera web browsers. Computers are infected when you open an e-mail, click on a website distributing malware, or visit an infected website using one of those browsers. When you visit a targeted bank, and it’s thus far been limited to German banks, the trojan transfers money without you even knowing.

This is the first Trojan Finjan has come across that hijacks a victim’s browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak [chief technology officer at Finjan] said.


Wow, that’s bad. My husband and I have been using Opera browser for years, but I switched a few months ago to SeaMonkey. He still uses Opera, though, but I’m the one who does the online banking. Still scary, though.

I think the best you can do to prevent this is to be aware and proactive about what goes into your browser, including which cookies you allow. You can set most browsers to ask you before allowing individual cookies, and once you choose to allow it/disallow it permanently, you’re done. Over time, you can determine which cookies you have to have to enjoy good sites, and which are tracking cookies and not necessary. Also set the browser to delete non-critical (or all) cookies and clear the cache after each session.

If you use Firefox, you can avail yourself of this – http://noscript.net/ – which I use with SeaMonkey. I only just discovered it a few months ago, and I love it. It is extra security, because a website can’t even load everything or run scripts without your express permission. It makes me feel safer.

I also really like SeaMonkey’s mail program and especially “Composer” – the built-in text editor. I have a cheap and annoying printer, and always have trouble getting it to print right, but with Composer, it prints absolutely beautifully. These things and NoScript got me to switch from Opera, with the added plus that SeaMonkey works on more sites – such as Facebook.

As for protecting yourself, why not use Mint/Quicken, Wesabe, Thrive, et al. to monitor balances and transactions? Since this trojan is set up to replicate financial institutions’ websites, using a third party account aggregator would give a second source of data that the criminals are not targeting for the fake balance in the browser. Also, for Mint and Wesabe users, you can grab your balances through your phone instead of your regular computer. Just a thought.

You would have to marry up the data shown in Mint/Quicken/Wesabe/etc. with your displayed account balance to ensure the number shown when you “logged in,” under the influence of this trojan, was correct. I don’t see anyone doing this every single time to ensure correctness.

This article does not seem credible. In order to transfer money online, you have to set up the link in advance, wait for trial deposits, verify the amount of the deposits, and not before can money leave your bank to go to a virus hacker’s bank. It says you get an email and have to click a link. It is obviously simple phishing. Just watch the URL and make sure it is the URL for your bank.

I just visited the Finjan website and read their version of the article. It is clearly an advertisement to sell their products but written to be disguised as NEWS. I doubt any of it is true. They are trying to scare people to make a buck.

This *specific* scam is not a threat for us in the US. It relies on the fact that German / European banks allow wire transfers from account to account. E.g. if I know your account #, I can wire you a certain amount of money. This is very easy to do online, clearly an easy way for criminals to clear out accounts. In the US, sending money “out” of an account electronically is much more difficult. Outgoing wire transfers are typically never enabled online (need to fill out forms etc), only way I can think of is online bill pay via checks which takes a lot longer and is harder to cover up. Plus you can cancel issued checks once you notice the scam.

But in general, the trick here is to monitor your accounts from multiple computers. My wife and I both have home and work computers. We each check out accounts daily, often using both computers. So if there is any funny business going on, and one of the computers is compromised, we would likely notice from another computer.

I have always been a fan of online banking, but as with any convenience it can open you up to more vulnerability. I don’t doubt that someone out there is capable of this, and it would be a nightmare to recover from. I haven’t yet heard of anyone who has had a problem with this before, but be careful!

I reduce my exposure to these types of attacks by doing all online banking from a computer that I have designated for banking tasks only. I also have an email ‘alias’ that I use only for online banking. It’s an old computer running an old OS and therefore is not a target of many of these types of attacks to begin with. All other computing, internet surfing and gaming is done from a newer computer more suited for these tasks.
